fix: cgi.FieldStorage not available in Python 3.13 #1438
Conversation
|
@defnull is there anyway one can help you to get this merged? |
|
Tests do not actually pass yet and test coverage was lacking, so this should be considered a WIP for now and not ready to merge yet. I had a local version that has better test coverage and kinda works, but was not pushed yet because I'm still not confident enough that this is a proper replacement. I'll push a working version now and would appreciate some testing (correctness and performance) and feedback. |
|
Github actions are kinda useless for testing legacy python versions. I'll have to somehow get those tests working locally. We still want to support 2.7 and 3.6+ with the master branch. |
|
May out of scope here, but why do you still keen on supporting legacy python versions on the master branch? |
Yes you are right, that should not be a blocking issue for the next release. The 0.12 branch supports versions down to 2.5 and 3.2. An impressive feat and really nice for development in legacy environments, but no longer feasible with modern versions in mind. The master/main branch which should have been released years ago as 0.13 already dropped 2.5 and 2.6, which leaves 2.7 and 3.2+. But supporting 3.2 in a new release makes no sense anymore. Maybe we should just move on, prepare Bottle 1.0 with a Python 3.8+ requirement and call it a day. People that need support for EOL Python versions can still rely on Bottle 0.12 |
|
Ping. Do you need help with finishing this PR? |
Based on the work in bottlepy#1438 Signed-off-by: Oz Tiram <oz.tiram@gmail.com>
Based on the work in bottlepy#1438 Signed-off-by: Oz Tiram <oz.tiram@gmail.com>
|
Hello! I'd like to ask about the plans for this PR, Python 3.13 is approaching (Oct 1st 2024, one month). Thanks a lot for bottle and for trying to fix this. |
defnull
force-pushed
the
patch-py313-multipart
branch
3 times, most recently
from
595d813
to
8335971
Compare
|
The PR passes all tests now and also contains a documentation overhaul that was long overdue. I'll be off the computer for a couple of days and would like to ask everyone to have a look and provide feedback. I'm actually quite happy with it now and confident enough to consider merging. If there are no major issues, I'd try and merge this into main next week, do a bit more cleanup, and then prepare a 0.13 release. This will be an 'emergency release' that does break existing applications running on ancient Python versions, but still supports Python >=2.7.3 and a lot of 3.x releases (tested with 3.8-3.12). That should be fine for 99% of users, and those that are affected can and should stay on 0.12.x forever. Dropping Python 2 support completely is the next step, but too much of a change for right now. |
|
Thank for your effort. Great last moment. Enjoy your time off, and please think of solving the human resource problem. Currently, you are the only developer activity working on bottle with access to the GitHub organization. |
|
Some early feedback about this change. I have execute our test suite using this branch as source, 1330 unit tests, 2600 integration tests. I have also launched our bottle-based server application and tested it manually, with some real world (larger than tests) transfers. Thanks very much for your efforts again! |
|
This kind of feedback helps a TON in gaining confidence for a release after such a long time. Thanks a lot! |
|
Still found a bug. |
|
Sooo... there is a potential DoS vector in the current implementation, which also affected |
I think it is fair to keep it decoupled for now if it was already there in |
Standard library cgi.FieldStorage was deprecated in Python 3.11 and removed in 3.13. We now have to ship our own multipart form data parser implementation, which is a port of the existing 'multipart' module. The new parser is used for all python versions, which may break backwards compatibility for certain edge cases and error scenarios. For a 'good' request there should be no difference, though. What changed: * Lax newline parsing (accepting \r or \n in place of \r\n) is a security risk and no longer implemented. Most modern browsers and client libraries follow the spec and should not have any issues producing valid multipart data. * Parsing errors are no longer silently ignored, but trigger an appropiate 400 error.
Those are integration tests, not unit tests and lead to flapping test results.
This also prevents warnings for deprecated functions in the datetime module.
This is better described in more detail in docs/index.rst
defnull
force-pushed
the
patch-py313-multipart
branch
from
018a4dc
to
bc7e8e0
Compare
cgi.FieldStorage (used for multipart parsing) was deprecated in Python 3.11 and removed in 3.13. We now have to ship our own implementation (mostly a copy&paste from the
multipartmodule)